Loading ...

Play interactive tourEdit tour

Windows Analysis Report Total_order_details_1231333.xlsb

Overview

General Information

Sample Name:Total_order_details_1231333.xlsb
Analysis ID:439079
MD5:7a915d04a60c318f37d2586b02587a26
SHA1:695dc190cd70d39a16a003400581353065f964af
SHA256:d8c12fb3fc8f75b90c2a11a84b190c7fb3736f08c78a45ab336bacd39f19d3b9
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7004 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 6700 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7004, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 6700

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll

    Software Vulnerabilities:

    barindex
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.121:80
    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 185.180.199.121:80
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.office.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.onedrive.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://augloop.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.entity.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cortana.ai/api
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://cr.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://directory.services.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.windows.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://graph.windows.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.local
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://management.azure.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://management.azure.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://messaging.office.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ncus.contentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officeapps.live.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://settings.outlook.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://tasks.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 1815CD0B-2738-4D28-B541-12A8E74F2E4F.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 14 Protected View This f
    Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: Total_order_details_1231333.xlsbInitial sample: CALL
    Source: Total_order_details_1231333.xlsbInitial sample: CALL
    Source: Total_order_details_1231333.xlsbInitial sample: EXEC
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
    Source: classification engineClassification label: mal64.expl.evad.winXLSB@3/9@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{F2A7B5FE-39A0-4068-8850-AED8943E8D8D} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: Total_order_details_1231333.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: regsvr32.exe, 00000007.00000002.712988411.0000000003690000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection1Regsvr321OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution21Boot or Logon Initialization ScriptsDLL Side-Loading1Masquerading1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.